WordPress brute force password attack using XML-RPC API

All code and information for educational purposes only

I am starting a series of posts about web security, which is also a passion of mine besides development.
The first post in the series is about getting the admin password for WordPress using the XML-RPC API and a brute force attack. The alternative is a direct brute force attack against the login form on ‘wp-login.php’, which may be more complex due to an ‘Account Lockout Policy’ and other things, which I will cover in another post.

What is XML-RPC?

XML-RPC is an API that enables developers to create WordPress ‘apps’ (like clients, plugins and themes) that allow you to make remote HTTP requests to your WordPress site… (link to full article)
The simplest way to check whether the XML-RPC API is enabled (the default) in your WordPress is to open your browser and enter something like http://127.0.0.1:8080/xmlrpc.php. If the response you see is ‘XML-RPC server accepts POST requests only.’, the XML-RPC API is enabled.

Other great tools for wordpress password brute force

Let’s do it

Let’s start building a simple script which will find the admin password for WordPress using a dictionary. I am using a simple Sucuri dictionary as the default for our brute force attack.
We will use the ‘wp.getUsersBlogs’ method for our purposes; it retrieves the blogs of a user. This method receives a username and password and returns an array of values. On success we get an array with the user’s info; otherwise the XML-RPC call throws an exception. See the code below to understand better.